What the IRS Actually Says About Offshore Tax Preparation? And Why Most CPA Firms Have It Backwards

There is a conversation happening in CPA firms across the country right now, usually quietly, sometimes in whispers. It goes something like this: "I have heard you can use overseas preparers, but isn't that risky? What if clients find out? What does the IRS say about it?"

The answers to those questions are not what most people assume. The gap between what firm owners fear and what the regulations actually require is wide enough that firms are making expensive decisions based on the wrong information. This article covers what the IRS actually says, what is genuinely required, and where the real risk lives.

The IRS Has Had a Clear Position on This Since 2006

In 2006, the IRS issued notice of proposed rulemaking stating explicitly that foreign outsourcing is not prohibited by the regulations, which permit disclosure of tax return information outside the United States if the taxpayer consents to such disclosure (The CPA Journal, 2025).

That language was not buried in fine print. It was the IRS drawing a bright line: offshore preparation is permitted. The mechanism that makes it permitted is client consent, obtained properly, before any data is shared. That is not a loophole. That is the framework. The framework has been in place for nearly two decades.

In the years since, offshore preparation has become standard practice at large accounting firms. Yet at many independent CPA firms, the conversation is still treated as a gray area at best. That is largely because the discussion almost always begins with fear rather than facts. 

What IRC Section 7216 Actually Requires

According to the Tax Advisor (2024), IRC Section 7216 is the criminal provision that governs how tax return preparers handle client data. The core rule: a tax return preparer cannot knowingly or recklessly disclose or use taxpayer information for any purpose other than preparing the tax return, unless the taxpayer provides explicit, written consent.

If you engage an offshore preparation partner, you are disclosing that information to a preparer outside the United States. That disclosure requires client consent. The consent must be written, affirmative, signed by the taxpayer, and clearly disclose that the client’s information will be sent overseas (Credfino, 2025).

$250

civil penalty per unauthorized disclosure, up to $10,000/year

$1,000

criminal fine per violation plus up to one year imprisonment

$100K

penalty per violation if connected to identity theft

When those requirements are met, offshore preparation is fully compliant. The penalties are real. They are also entirely avoidable.

The Part That Gets Most Firms Stuck: Client Consent

The common assumption is that if you tell clients their returns are being prepared by someone outside the US, they will object. Maybe they will leave. Maybe they will feel deceived. The consent form becomes something to dread.

As reported by Finsmart Accounting (2024), the reality experienced by firms that have gone through the process is far less dramatic. Most clients, when presented with a straightforward consent form as part of their standard engagement documentation, sign it without incident.

The consent process, done well, is a transparency exercise, not a confession. You are telling your client that trained professionals will prepare their return, a licensed CPA will review and sign everything, and their data is protected by documented security protocols. Most clients understand this the same way they understand any other professional service delegation.

The Real Risk Is Offshore Without Controls

The firms that face liability exposure under Section 7216 are not the firms that obtained consent and worked with a security-compliant partner. They are the firms that quietly used unverified freelancers, shared login credentials informally, moved client data in ways that were never documented, and had no security program on the receiving end.

The compliance question is not whether to use offshore preparation. It is whether your preparation partner has documented security policies, MFA on every account, encryption standards, a written incident response plan, and verifiable access controls. When the answer is yes, the compliance risk is manageable and the legal framework fully supports the arrangement.

The Talent Shortage Makes This More Urgent

More than 300,000 accountants and auditors have left the field since 2020 (Tax Notes, 2023). The workforce has contracted by 17%. Accounting degrees fell 6.6% in the most recent year. The AACSB survey found that in 2024, 83% of financial leaders reported that  they could not find qualified accounting talent, up from 70% in 2022.

The firms that are growing are the ones that separated preparation work from review work, built their compliance structures carefully, and created a model where licensed CPAs spend their time doing what only licensed CPAs can do.

REAL-WORLD EXAMPLE

How Finaceal Helped an Austin CPA Firm Turn Compliance Fear into a Competitive Advantage

A solo-partner CPA firm in Austin, Texas had been considering offshore preparation support for over a year but kept delaying the decision on one question: what happens when I tell my clients? The managing partner had built her practice on personal relationships and feared the consent conversation would feel like a breach of trust. She delayed a full season, did everything in-house, and lost her best senior staff member that May.

Before engaging Finaceal, she reviewed the implemented Security Program, confirmed MFA enforcement, biometric access controls, and the 24-hour breach notification commitment, then incorporated Finaceal's sample Section 7216 disclosure clause into her engagement letter renewal. Of 280 clients who received the updated letter, 271 signed without any comment. Seven asked a brief clarifying question by email. Two opted out and remained clients on a non-outsourced basis. Finaceal handled first-draft preparation for 210 returns that season. The partner's average review time per return dropped because preparation was consistent and workpapers arrived organized to her specification. The season ended without a staff departure. The fear that had cost her a full season of capacity relief turned out, in her own words, to be almost entirely in her head.

If Your Firm Is Still Hesitating on This Question

The compliance framework is clear. The client consent process, done professionally, is far less fraught than most firm owners anticipate. The security posture of the preparation partner is what actually determines whether the arrangement is low-risk or high-risk. The firms that have built this correctly are not taking on more risk than before. They are reducing it, because the preparation work is now happening in a documented, auditable, security-governed environment instead of in an ad hoc, understaffed, overtime-fueled one.

How Finaceal Handles Compliance for Every Firm We Work With

Finaceal operates as a draft-only preparation partner. Our staff hold no PTINs and sign no returns. We work inside your existing software so your client data never leaves your infrastructure. We maintain a Written Information Security Program aligned to NIST, CIS Controls v8, and the FTC Safeguards Rule. MFA is enforced on every account. We provide a sample Section 7216 disclosure clause on request. We notify you of any confirmed security incident within 24 hours.

Start with a free two-week pilot. No invoice either way.

finaceal.com  |  Kathmandu, Nepal  |  Serving US CPA firms across all 50 states